core: tee_svc_cryp.c: replace get_used_bits()

Prior to this patch was get_used_bits() called in
tee_svc_cryp_obj_populate_type() to check that a bignum isn't too large.
While the code works it's mor

core: tee_svc_cryp.c: replace get_used_bits()

Prior to this patch was get_used_bits() called in
tee_svc_cryp_obj_populate_type() to check that a bignum isn't too large.
While the code works it's more complicated than necessary. The bignum
has just been imported so the normal bignum functions can be used
directly instead of copying the user space buffer again and feed it to
bit_ffs(). So replace the call to get_used_bits() with a call to
crypto_bignum_num_bits() on the newly imported bignum.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: use BB_MEMDUP_USER() where needed

Uses BB_MEMDUP_USER() instead of bb_memdup_user() where the destination
buffer isn't a void * in order to avoid using a extra void * variable to
handle the ou

core: use BB_MEMDUP_USER() where needed

Uses BB_MEMDUP_USER() instead of bb_memdup_user() where the destination
buffer isn't a void * in order to avoid using a extra void * variable to
handle the output pointer from bb_memdup_user().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ldelf: apply finer-grained PAN

Prior to this commit, PAN was disabled when executing ldelf syscalls.
With the new user buffer aware ts_store API we can now enable
finer-grained PAN in ldelf sy

core: ldelf: apply finer-grained PAN

Prior to this commit, PAN was disabled when executing ldelf syscalls.
With the new user buffer aware ts_store API we can now enable
finer-grained PAN in ldelf syscalls.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: update ts_store API with user space buffer

Updates the read() function pointer in struct ts_store_ops to take an
user space buffer in addition to the previous core buffer. Core buffers
are nor

core: update ts_store API with user space buffer

Updates the read() function pointer in struct ts_store_ops to take an
user space buffer in addition to the previous core buffer. Core buffers
are normal secure memory while user space buffers should only be accessed
using the user_access.h functions.

The different TA storage implementations are updated accordingly.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: add BB_MEMDUP_USER() and BB_MEMDUP_USER_PRIVATE()

Adds BB_MEMDUP_USER() and BB_MEMDUP_USER_PRIVATE() wrapper macros to
allow non-void pointer destination.

Signed-off-by: Jens Wiklander <jens.

core: add BB_MEMDUP_USER() and BB_MEMDUP_USER_PRIVATE()

Adds BB_MEMDUP_USER() and BB_MEMDUP_USER_PRIVATE() wrapper macros to
allow non-void pointer destination.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: caam: remove dead code

Remove value check as it cannot be true and appears to be dead code.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@li

drivers: caam: remove dead code

Remove value check as it cannot be true and appears to be dead code.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: free resource upon sgtbuf initialization failure

Call caam_dmaobj_free() upon caam_dmaobj_input_sgtbuf() failure
to free buffer allocated by caam_dmaobj_input_sgtbuf().

Signed-off-b

drivers: caam: free resource upon sgtbuf initialization failure

Call caam_dmaobj_free() upon caam_dmaobj_input_sgtbuf() failure
to free buffer allocated by caam_dmaobj_input_sgtbuf().

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: on RSA public key import calculate CKA_MODULUS_BITS

When RSA public key is created with C_CreateObject() CKA_MODULUS_BITS is
not allowed to be specified.

The tooling like pkcs11-tool ex

ta: pkcs11: on RSA public key import calculate CKA_MODULUS_BITS

When RSA public key is created with C_CreateObject() CKA_MODULUS_BITS is
not allowed to be specified.

The tooling like pkcs11-tool expects that the value is there.

In specification it is not specified clearly that it needs to be
calculated but it is assumed to be in the RSA public key object.

Calculate the value and add it to the object during RSA public key import.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

MAINTAINERS: Update Corstone1000 maintainer

Update maintainer of ARM Corstone1000 to Emekcan Aras.

Signed-off-by: Xueliang Zhong <xueliang.zhong@arm.com>
Acked-by: Vishnu Banavath <vishnu.banavath@

MAINTAINERS: Update Corstone1000 maintainer

Update maintainer of ARM Corstone1000 to Emekcan Aras.

Signed-off-by: Xueliang Zhong <xueliang.zhong@arm.com>
Acked-by: Vishnu Banavath <vishnu.banavath@arm.com>
Acked-by: Emekcan.Aras@arm.com <emekcan.aras@arm.com>

show more ...

core: riscv: Add definitions of CLINT for platform spike

Add definitions for base address of CLINT, otherwise build failure
occurs for platform spike.

Signed-off-by: Alvin Chang <alvinga@andestech.

core: riscv: Add definitions of CLINT for platform spike

Add definitions for base address of CLINT, otherwise build failure
occurs for platform spike.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: pta: imx: disable access control for MP PTA

Allow opening the PTA without a calling session.

Enabling CFG_NXP_CAAM_MP_NO_ACCESS_CTRL permits users to use the OP-TEE
client interface to retrie

core: pta: imx: disable access control for MP PTA

Allow opening the PTA without a calling session.

Enabling CFG_NXP_CAAM_MP_NO_ACCESS_CTRL permits users to use the OP-TEE
client interface to retrieve the public key as well as to generate
signatures.

See https://github.com/OP-TEE/optee_client/pull/352

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

libutils: mempool: fix unbalanced put_pool()

Prior to this patch mempool_free() unconditionally called put_pool(),
but if the "ptr" argument is NULL it means that there hasn't been a
corresponding c

libutils: mempool: fix unbalanced put_pool()

Prior to this patch mempool_free() unconditionally called put_pool(),
but if the "ptr" argument is NULL it means that there hasn't been a
corresponding call to get_pool(). Fix this only calling put_pool() for
non-NULL pointers.

Fixes: a51d45b52503 ("libutils: mempool based raw malloc functions")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

scripts: add derive_rpmb_key.py

Adds the script derive_rpmb_key.py that can derive the RPMB key OP-TEE uses
offline or in normal world during a production step.

Signed-off-by: Jens Wiklander <jens.

scripts: add derive_rpmb_key.py

Adds the script derive_rpmb_key.py that can derive the RPMB key OP-TEE uses
offline or in normal world during a production step.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ltc: rsa_verify_hash: fix panic on hash mismatch

When running a test with CFG_FAULT_MITIGATION=y and with a corrupted
message, hash verification fails and panic TEE core:

F/TC:? 0 trace_sysca

core: ltc: rsa_verify_hash: fix panic on hash mismatch

When running a test with CFG_FAULT_MITIGATION=y and with a corrupted
message, hash verification fails and panic TEE core:

F/TC:? 0 trace_syscall:149 syscall #40 (syscall_asymm_verify)
E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check>
E/TC:2 0 TEE load address @ 0x43200000
E/TC:2 0 Call stack:
E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91
E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32)
E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87
E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349
E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669
E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420
E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140
E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115
E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850

When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp()
is used on the verification of RSA hash. ftmn.check.res is set with the
return value of the hash comparison. Since memcmp() is used, this can
be 0, when hash matches, or any non-zero number when hash does not match.

However, the value stored on ftmn.check.res is later compared with the
result of the signature comparison (!*stat), which can assume only two
values, 1==valid or 0==invalid.

With that, when ftmn_set_check_res_memcmp() returns any non-zero number,
force ftmn.check.res to 1 so that it matches the check with later
FTMN_CALLEE_DONE_CHECK().

Signed-off-by: Felix Freimann <felix.freimann@mediatek.com>
Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

arm: aspeed: Update secure memory layout

Update the TZDRAM region based on the 1GB DRAM space of
Aspeed AST2600/AST2700 EVBs.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
Acked-by: Je

arm: aspeed: Update secure memory layout

Update the TZDRAM region based on the 1GB DRAM space of
Aspeed AST2600/AST2700 EVBs.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: plic: Refine interrupt targets from hartid to context

The PLIC specification says the interrupt targets are usually hart
contexts, where a hart context is a given privilege mode on a given

drivers: plic: Refine interrupt targets from hartid to context

The PLIC specification says the interrupt targets are usually hart
contexts, where a hart context is a given privilege mode on a given
hart. Therefore, PLIC driver should not only consider the HART ID, but
also current privilege mode. Refine it by introducing the function
called plic_get_context(), which translates the current HART ID into the
PLIC context ID. We assume that each hart has M-mode and S-mode,
therefore M-mode occupies even-numbered context ID, while S-mode
occupies odd-numbered context ID. The translation can be extended by
parsing device tree, submitted in future commits.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

riscv: plat-virt: Rename to latest interrupt controller functions

Rename main_init_plic() to boot_primary_init_intc(). Rename
main_secondary_init_plic() to boot_secondary_init_intc(). Also the
inclu

riscv: plat-virt: Rename to latest interrupt controller functions

Rename main_init_plic() to boot_primary_init_intc(). Rename
main_secondary_init_plic() to boot_secondary_init_intc(). Also the
include path of RISC-V PLIC driver header is fixed.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Load register TP from thread_user_mode_rec in trap handler

RISC-V kernel uses TP register to store thread_core_local structure.
When the thread enters user mode, the value of TP is used

core: riscv: Load register TP from thread_user_mode_rec in trap handler

RISC-V kernel uses TP register to store thread_core_local structure.
When the thread enters user mode, the value of TP is used by user mode.
Therefore, when CPU enters trap handler, it needs to restore TP to get
thread_core_local structure. In previous implementation, the value of TP
is saved under kernel SP before entering user mode, and the trap handler
restores TP from that stack location. However, the value of TP has
already been saved into the thread_user_mode_rec structure, which is
also upon kernel SP, before entering user mode. So the value of TP can
be restored just from thread_user_mode_rec, instead of saving into
another location which is under the kernel SP.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Support Privileged Access Never by CSR status.SUM bit

The SUM (Supervisor User Memory access) bit modifies the privilege with
which S-mode loads and stores the user virtual memory. When

core: riscv: Support Privileged Access Never by CSR status.SUM bit

The SUM (Supervisor User Memory access) bit modifies the privilege with
which S-mode loads and stores the user virtual memory. When SUM bit is
0, S-mode accesses to pages whose U bit of corresponding PTE is set will
fault. When SUM bit is 1, these accesses are permitted.

When CFG_PAN is disabled in RISC-V architecture, the status.SUM bit is
initialized as 1 by default. Therefore all accesses to user pages will
succeed. When CFG_PAN is enabled, the status.SUM bit is initialized as
0, and only set to 1 when kernel needs to access user pages.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Fix thread_rpc() wrong stack usage and CSR value

Since there are four registers to be stored onto stack, we should
preserve up to 32 bytes space on the stack instead of only 16 bytes,
o

core: riscv: Fix thread_rpc() wrong stack usage and CSR value

Since there are four registers to be stored onto stack, we should
preserve up to 32 bytes space on the stack instead of only 16 bytes,
otherwise the stack overflow occurs. The s0 is regarded as frame
pointer. The value of CSR status is also restored before returning from
thread_rpc().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Fix width of status CSR

Since we also support RV64 with 64-bit register width, fix the width of
status CSR by declaring it as "unsigned long" and encoding it by general
bit-wise operati

core: riscv: Fix width of status CSR

Since we also support RV64 with 64-bit register width, fix the width of
status CSR by declaring it as "unsigned long" and encoding it by general
bit-wise operations instead of invoking fixed-width API.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

plat-marvell: Add support for CN10K SoCs

Add support for CN10K SoCs from Marvell.

Only tested 64-bit mode with default configurations:

1. Build command
make PLATFORM=marvell-cn10ka
2. Pass

plat-marvell: Add support for CN10K SoCs

Add support for CN10K SoCs from Marvell.

Only tested 64-bit mode with default configurations:

1. Build command
make PLATFORM=marvell-cn10ka
2. Passed xtest

Signed-off-by: Gowthami <gthiagarajan@marvell.com>
Reviewed-by: Anil Kumar Reddy <areddy3@marvell.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: support larger values for CFG_TEE_CORE_NB_CORE

With larger values of CFG_TEE_CORE_NB_CORE (for example, 18 on the
marvell-cnf10ka platform) CORE_MMU_BASE_TABLE_OFFSET becomes to large to
be us

core: support larger values for CFG_TEE_CORE_NB_CORE

With larger values of CFG_TEE_CORE_NB_CORE (for example, 18 on the
marvell-cnf10ka platform) CORE_MMU_BASE_TABLE_OFFSET becomes to large to
be used as an immediate value in add and sub assembly instructions. This
is handle by using the new add_imm and sub_imm macros where needed. But
the add_imm and sub_imm macros can't handle complex defines so
CORE_MMU_BASE_TABLE_OFFSET must be evaluated in asm-defines.c first.

This should fix errors like:
core/arch/arm/kernel/thread_a64.S: Assembler messages:
core/arch/arm/kernel/thread_a64.S:339: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:347: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:355: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:372: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:379: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:386: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:660: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:732: Error: immediate out of range
make: *** [mk/compile.mk:165: out/core/arch/arm/kernel/thread_a64.o] Error 1

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Gowthami <gthiagarajan@marvell.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm64: add add_imm and sub_imm assembly macros

Adds the add_imm and sub_imm assembly macros capable of adding or
subtracting a 24-bit immediate value to or from a general purpose
register.

Si

core: arm64: add add_imm and sub_imm assembly macros

Adds the add_imm and sub_imm assembly macros capable of adding or
subtracting a 24-bit immediate value to or from a general purpose
register.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci.yml: Reintroduce build of libscmi-server

A previous patch temporarily removed the libscmi-server build.

Now that the related PR in SCP-firmware has been merged,
reintroduce the build step.

Link

ci.yml: Reintroduce build of libscmi-server

A previous patch temporarily removed the libscmi-server build.

Now that the related PR in SCP-firmware has been merged,
reintroduce the build step.

Link: https://github.com/ARM-software/SCP-firmware/pull/812
Link: https://github.com/OP-TEE/optee_os/pull/6190

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Nicola Mazzucato <nicola.mazzucato@arm.com>

show more ...